Well, technically, I don't think IPA needs DNS entries simply for 
synchronization, so you could technically give it the same domain suffix. 
However, if you plan on using it for the purpose of clients to connect, it will 
need to be on its own domain. 
The reason it is highly suggested for different domains to have different 
suffixes within DNS is because clients will 'dig' that domain for Kerberos and 
LDAP type records when looking for domain servers. Something like the below, 
for example:
  # dig -t SRV _kerberos._tcp.EXAMPLE.COM.
If this returns both AD /and/ IPA servers, your clients will have a bad time. 
Sent via carrier pigeons
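As an added illustration of the SRV-record overlap described above (example code written for this page, not from the thread or the FreeIPA project), the following script parses the answer section of `dig -t SRV` output and reports any Kerberos or LDAP record name whose targets include both a known AD domain controller and a known IPA server. The sample dig output and the hostnames ipa1, ipa2 and dc1 under example.com are constructed.

```python
# Added example: detect a DNS suffix that advertises both AD and IPA servers
# for the same _kerberos/_ldap SRV name, the situation the reply warns about.
import re

# Constructed sample `dig -t SRV` answer lines (hostnames are hypothetical).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa1.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 dc1.example.com.
_ldap._tcp.example.com.     86400 IN SRV 0 100 389 ipa1.example.com.
_ldap._tcp.example.com.     86400 IN SRV 0 100 389 ipa2.example.com.
"""

# name ttl IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(dig_output):
    """Return {record name: [target hostnames]} from dig's answer lines."""
    records = {}
    for line in dig_output.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue  # comment lines, blank lines, non-SRV records
        name = m.group("name").rstrip(".").lower()
        target = m.group("target").rstrip(".").lower()
        records.setdefault(name, []).append(target)
    return records


def find_mixed_services(records, ipa_servers, ad_servers):
    """Return SRV names whose targets include both an IPA host and an AD host."""
    ipa = {h.lower() for h in ipa_servers}
    ad = {h.lower() for h in ad_servers}
    mixed = []
    for name, targets in records.items():
        hits = set(targets)
        if hits & ipa and hits & ad:
            mixed.append(name)
    return sorted(mixed)


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_DIG_OUTPUT)
    for name in find_mixed_services(recs, ["ipa1.example.com", "ipa2.example.com"],
                                    ["dc1.example.com"]):
        print("mixed AD/IPA targets for", name)
```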

-------- Original message --------
From: Striker Leggette via FreeIPA-users <[email protected]> 
Date: 6/14/17  8:12 PM  (GMT-05:00) 
To: FreeIPA users list <[email protected]> 
Cc: Striker Leggette <[email protected]> 
Subject: [Freeipa-users] Re: FreeIPA - Active Directory integration and domain names

Yes


Sent via carrier pigeons

-------- Original message --------
From: bogusmaster--- via FreeIPA-users <[email protected]> 
Date: 6/14/17  6:06 AM  (GMT-05:00) 
To: [email protected] 
Cc: [email protected] 
Subject: [Freeipa-users] FreeIPA - Active Directory integration and domain names

Hi,

I have a question regarding establishing one-way trust between FreeIPA 
and Active Directory. In the documentation it is stated that to use a 
cross-forest trust it is required for FreeIPA to have a different domain 
than that of Active Directory. Does it also apply to the synchronization 
scenario?

Thank you

Bart
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]